Mon, 8 Feb 2010

Over the years we've offered almost all our tools, papers, presentations and other materials for free, albeit with a "registration required" proviso. The registration wall has been in place for some time now, and was used to track unique users as well as permit users to opt into SensePost mailruns. What we found, though, is that registration is more of a hindrance than a benefit; it creates an artificial barrier with little reward. The data isn't that useful to us and the added steps are just an extra annoyance for users, and we wanted to streamline things a little.

To that end, we've removed the registration requirement from our site. All our tools, papers, presentations and other materials are now available for direct download without any registration needed. Go ahead, grab a copy of Wikto. Our main research page is here.

Of course, we still have all those registrations along with email addresses and so on. For those users who chose not to receive mail, we'll purge your details entirely from our database. Only if you opted into mailruns will we retain your address.

Hopefully this makes your experience on our site a little less bothersome!

6 comments

Second, can you talk a little bit more about how use(ful|less) the data these registration walls provided SensePost? Metrics would be good. We fought and lost many fights at HP when we wanted to release web security tools like Scrawlr and SWFScan without a registration barrier, mainly because higher-ups demanded some kind of return for our work. "Increasing thought leadership" (aka cool stuff we thought of while drunk) was never good enough. What can you tell us?

Our registration wall has been in place for a while now, exceeding 5 years, and in truth the data was not that useful to us. Possible explanations include the fact that we don't currently justify research by looking at registration numbers (though this may once have been the case), the stored data doesn't have a timestamp component (an oversight, but it means we can't trend the data), and we didn't seek to strongly verify data (so much of it is bogus "bugmenot"-type data). We are lucky; as a small company it's quite easy to show the correlation between interesting research and sales leads, and doing cool stuff is baked into our ethos. The registration wall was a relic, unneeded, and deserved to go.

Aside from that, here are some basic numbers:

Total unique email addresses (unverified): 58364

Of those, 55% claimed to be security professionals, 12% claimed to be students. The remainder were distributed at low rates.

About 30% of registrations were from North America, 25% from Europe, 15% from Africa and 15% from Asia.

80% of users found us on the web, with another 9% coming to us on the basis of a referral.

26% of users opted to receive mail.

The most common first name amongst registrants was John (1.9%), followed by David (0.9%) and Mike (0.8%).

The most common surname was Smith (0.9%), followed by b (0.4%) and a (0.4%). People like to remain incognito.

The registration was mostly on my insistence (being 'higher up') and ironically it was me who instigated the tear-down (although it obviously wasn't originally my idea). My reasoning at the time mirrored that of your own 'higher ups'. Basically I felt that since our research and tools cost us to produce, it was fair to ask for something in return (whether it be tracking data, marketing capital, or just a boost to our collective egos). I also felt that anyone who was willing to make the effort to read the paper or learn the tool wouldn't mind the (little) effort required to register. Lastly, I felt that if there was no 'cost' associated with the resource it cheapened it, i.e. something that's gotten for free is often not appreciated for what it's worth.

In truth, we never did anything with the data we collected. With the exception of one or maybe two very early mail runs, we generally considered the use of the mail address list for marketing purposes to be useless at best or potentially damaging at worst. Lacking any kind of real marketing capacity within our team, we never really used the data for tracking either, other than perhaps the occasional ego boost for which HTTP logs would also suffice.

The last motivator (attaching a cost to the resource to demonstrate value) may still hold in my view, but in my mind has now been superseded by the responsibility of holding and protecting other people's personal information. The risk of holding the data outweighs any benefit we glean from having it. Although we collected only very minimal data, it is valuable nevertheless and I wanted to rather be rid of it than have to worry about it.